Opinion, 21st July 2014
Why your organisation is more vulnerable to IT Security attacks than a year ago.
The security landscape has been changing for a while, and it has been making headlines for all the wrong reasons, from the Heartbleed bug to breaches at major enterprises. The pressure is on to tighten up your company’s defences.
Why are you more vulnerable to IT security attacks?
InformationWeek’s 2014 Strategic Security Survey revealed that 77% of the 536 respondents believe that their organisation is more vulnerable to attack than a year ago. This is due to a combination of the following:
- Increased sophistication of threats
- More ways to attack corporate networks
- Increased use of mobile devices/BYOD
- Increased volume of attacks
- Failure to enforce security policies
- Lack of patching
Why should I invest in IT Security?
As a business owner it can be difficult to commit to a spend that shows no tangible or immediate benefits. This is especially true of IT security. Unless a risk is realised you won’t see the ROI on your security strategy. That’s why it can be difficult to justify the expense based on a ‘what if’ scenario.
Think of it like health insurance – it’s there for that rainy day. The benefits extend beyond financial gain to reputation management, employee retention, and even business viability.
A lesson in IT Security – US retailer Target.
As a business owner you know you must do something about security, but often other priorities come first. Sidelining IT security could end up being a costly mistake. The tale of US retailer Target is an example of how a security breach can threaten the viability and reputation of your business.
Towards the end of 2013, malware designed to steal every credit card used at the company’s 1,797 stores was installed in Target’s security and payments system. Target was prepared for such an attack, having had the foresight to invest in security to protect the business. The security software did its job and notified them of the attack, giving them time to resolve the issue without impact. But Target failed to react to it in time.
By the time they began to react, the credit card data of their customers was long gone. The result? Sales and stock prices plummeted, 8 stores are due to close and they could be liable for the data breach. In the US you can be fined up to $90 for every individual breach – that amounts to a liability of $3.6 billion. Target Chairman and CEO Gregg Steinhafel was forced to resign after 35 years of service – he had been part of the Target family since 1979.
‘Our business is unlikely to be a(nother) Target’
Target is an example of how badly things can go wrong when security warnings are ignored. But how does this translate to your business? Just because you aren’t playing in the same arena as Target does not mean you are less vulnerable. Many hackers now have the small business in their line of sight. They know that they are often easy targets as security policies are not a top priority.
It’s not just hackers that can pose a risk; your own staff could unwittingly bring your network down. Something they see as harmless and do not give a second thought to, such as connecting a personal device to your corporate network, could bring your entire organisation to a halt. (Read our last blog post to learn how employees can play their part in keeping your company safe from IT security risks.)
The fallout of an attack or IT security breach:
- Network or business applications unavailable
- Financial loss
- Intellectual property theft
- Internal records lost or damaged
- Customer records compromised
- Violated government regulations regarding security
- Legal liability
Get the basics of IT Security right – some tips.
There are varied reasons why you might not be in a position to fully invest in your IT security systems. But small changes can make a real difference to how safe your IT environment is. You can be proactive – and to help you with this we have put together some recommendations that you should put into immediate practice in your organisation, and share with your employees. These are not designed to replace a security strategy – you should talk to your IT team or IT provider to establish what is in place and what part you and your team can play to maintain it.
1. Restrict access to sensitive data.
Your organisation’s intellectual property is your most valuable asset. You have vast amounts of data about clients, employees and suppliers, as well as strategic business information. This information, which you rely on to do business, could be stolen for personal gain. Build controls to protect against misuse and restrict access to designated people.
2. Encrypt Devices.
This is a no-brainer. If a device is stolen or lost and the information within it is not encrypted, prepare to lose money and have potentially sensitive data released.
3. Back up your data.
Another obvious one. Make sure your data is backed up – don’t save important work directly onto your device – save it onto the corporate network, which should be backed up regularly as part of your IT agreement. If a device is lost or stolen, or the network is breached, having your data backed up will let you get back to work with minimal downtime.
4. Limit web usage.
Legitimate websites can be an unwitting facilitator of a security breach. For example, websites with poor patch management have become a target for ‘watering hole’ attacks. A watering hole attack is where a hacker observes which sites the company uses on a regular basis and infects them with malware. They then wait for a user to get infected and make their way into the network. Limit web usage to the sites needed to do business and make employees aware of this type of attack.
5. Enforce password policies.
Verify with your IT team or provider that all passwords are unique and there are no default or weak, easily identifiable passwords in use.
6. Review user accounts.
When an employee leaves the company or gives notice, disable their access to sensitive information and make sure to change the passwords of user accounts they previously used.
IT Security should be enforced company-wide.
Attacks are evolving every day and as hackers add new tools to their arsenal it’s no surprise that major security breaches are on the increase. But the majority of these attacks can be prevented. Stay informed and make sure your company moves from basic perimeter security to a company-wide security strategy. Ask your IT team to establish how ready your organisation is to respond to an incident. And remember – an all-encompassing approach is needed, with the right stakeholders involved, with continual review and improvement.
Feel free to touch base with us if you have any concerns or questions around your IT security – we’d be happy to advise and guide you. Email firstname.lastname@example.org or give us a call on 061 337 632.